Auditing is Windows' name for logging -- that is, recording certain activities to a file on the computer that can be held for some time.
What Can I Audit?
Account Management: e.g. Did an Admin mess with accounts? Did users change passwords?
Logon Events: Mostly obvious, but e.g. Did a user make a network connection to another computer?
Object Access: Files, folders, and printers. You can configure what stuff to watch.
Policy Change: All this security auditing stuff along with security policy.
Privilege Use: User uses certain rights like changing the clock.
Process Tracking: A program did something. Useful to programmers as a debugging tool. Not so useful to sysadmins.
System Events: Mostly restarts and shutdowns.
What is Required to Audit?
Any user with the "Manage Auditing and Security Log" user right.
An NTFS volume.
Turning On Audit: How Do I Audit?
Auditing is controlled out of Local Security Policy: Start > Control Panel > Performance and Maintenance > Administrative Tools > Local Security Policy.
In Local Security Policy: Security Settings > Local Policies > Audit Policies
Configuring Resources: Auditing Files and Folders
Two-step process: First, turn on this type of auditing in the Local Security Policy area (see section above), then configure it on the files and folders you want to watch.
Open a file explorer
Right click file or folder and choose Properties
Select Security Tab and click Advanced button
Click Auditing tab. If there's no auditing tab, it's because you didn't turn on auditing files and folders. Go turn it on in Local Security Policy.
Click the Add button, select the users you want to audit
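The same second step can be scripted. This PowerShell sketch is an added example, not part of the original notes. It assumes Windows PowerShell is installed, object access auditing is already turned on in Local Security Policy, and the session runs as an administrator holding the "Manage Auditing and Security Log" right. The folder C:\AuditDemo and the account Everyone are placeholders chosen for illustration.

```powershell
# Placeholder folder and account, chosen for illustration only.
$Path    = 'C:\AuditDemo'
$Account = 'Everyone'

if (-not (Test-Path $Path)) {
    New-Item -ItemType Directory -Path $Path | Out-Null
}

# Audit entries are stored in the object's SACL, which only NTFS keeps.
$root  = [System.IO.Path]::GetPathRoot($Path)
$drive = New-Object System.IO.DriveInfo ($root)
if ($drive.DriveFormat -ne 'NTFS') {
    throw "$Path is on a $($drive.DriveFormat) volume; file auditing needs NTFS."
}

# Rule: record successful and failed writes and deletes by $Account.
# The inheritance flags make the entry apply to this folder, its subfolders and its files.
$rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule(
               $Account, $rights, $inherit, $prop, $flags)

# -Audit tells Get-Acl to load the SACL as well; without it the audit
# entries are not read and Set-Acl would not write them back.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Read the SACL back to confirm what is now being audited.
(Get-Acl -Path $Path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```

If the read-back table is empty or Get-Acl fails with an access error, the session is missing the user right listed under "What is Required to Audit?".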
Audit Mini-Quiz
What is auditing?
What is an audit policy?
When you are auditing events on a computer running Windows XP Professional, where are the audited events being recorded?
What are the requirements to set up and administer auditing?
What are the two steps to setting up auditing?
By default, any auditing changes that you make to a parent folder (are/are not) inherited by all child folders and all files in the parent and child folders.